Date: Thu, 8 Apr 2021 21:55:18 -0400
From: Mike Kelly <pioto@pioto.org>
To: Gordon Tetlow <gordon@tetlows.org>
Cc: Stefan Blachmann <sblachmann@gmail.com>, Shawn Webb <shawn.webb@hardenedbsd.org>, Miroslav Lachman <000.fbsd@quip.cz>, FreeBSD Security Team <secteam@freebsd.org>, Ed Maste <emaste@freebsd.org>, FreeBSD-security@freebsd.org, cperciva@freebsd.org
Subject: Re: Security leak: Public disclosure of user data without their consent by installing software via pkg
Message-ID: <CAFb0NsLW56M8hnAMKUpDB06V3Qi=vPz0TAs_+hYzk7sg7fbHpQ@mail.gmail.com>
In-Reply-To: <DE5BE925-0F4F-4312-9788-20E19BA2CD47@tetlows.org>
References: <CACc-My1b32PLyeOU4hMDCBGaVzU1GLSrgAft95zMb5U7p7eRwQ@mail.gmail.com> <20210406142735.nbearpqiqz3wyrmd@mutt-hbsd> <6fcb2d1a-929e-c1fe-0273-42858ec547ec@quip.cz> <20210406144222.gbgjcc7jsozsl2m2@mutt-hbsd> <410E4486-F9CF-41C3-9396-BD307AF2325F@tetlows.org> <CACc-My2PMzaiwqZUnTEhzKY5U3n0GzjOXMmsgPEVjf5Zyn4F4w@mail.gmail.com> <DE5BE925-0F4F-4312-9788-20E19BA2CD47@tetlows.org>
On Wed, Apr 7, 2021 at 11:37 PM Gordon Tetlow via freebsd-security
<freebsd-security@freebsd.org> wrote:
> <snip>
> > Can it be ethically acceptable to put users at risk, for example by
> > intentionally (?) not setting any limits to what extent installer
> > scripts are allowed to collect sensitive user and system data and
> > disclose them to interested third parties?
>
> This is an interesting point. Unfortunately, the technology we have gives
> unfettered access to the system. I'm having a hard time thinking how we
> could achieve the goal of installing software (which in our model requires
> root privileges) while also limiting what it is allowed to do on said
> system. I'm not aware of any other package system (rpm, deb, etc) that has
> technical limits on pre/post installation scripts. If you are aware of any
> examples, I'd love to see it to see if there is something we can
> incorporate. Patches, as always, are welcome to improve the system.

For what it's worth, there is some "prior art" in other package management
systems for various levels of technical restrictions:

* Gentoo's Portage uses a library called "Sandbox"[1], which uses the
  LD_PRELOAD mechanism to put itself "first in line", and it intercepts
  various lower level calls that way to mitigate risk.

* Exherbo's Exheres packaging format (derived from Gentoo's) has their own
  sandboxing mechanisms[2] which are pretty broad in scope; I think under
  the hood it's using sydbox[3], which says it's using ptrace and seccomp
  to implement it (so it may be more resilient than an LD_PRELOAD approach).

* Debian's FakeRoot[4], which seems to use a similar mechanism, but I think
  this is only applied during the binary package building. LD_PRELOAD based
  as well.

* InstallWatch[5] for RPM; seems like this isn't as maintained, so I can't
  find as many details, but again, I think this is only used during binary
  package builds.

That said, I think all these just help protect against accidental missteps,
not malicious intent. There's obviously a lot of implicit trust when you're
running someone else's software.

[1] https://wiki.gentoo.org/wiki/Sandbox_(Portage)
[2] https://exherbo.org/docs/eapi/exheres-for-smarties.html#sandboxing
[3] https://github.com/sydbox/sydbox-1
[4] https://wiki.debian.org/FakeRoot
[5] https://asic-linux.com.mx/~izto/checkinstall/installwatch.html

--
Mike Kelly
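Added illustration of the LD_PRELOAD interposition approach that the first bullet (Gentoo's Sandbox) describes. This is example code written for this archive entry, not Sandbox's, Portage's or any other project's own code: a hypothetical preload library that hooks fopen(), lets every read through, and only allows writes that resolve below an allow-list. The allow-list (`/tmp/pkg-stage`, `/dev/null`), the function name `sandbox_fopen_allowed` and the `SANDBOX_AS_LIBRARY` build switch are assumptions made up for the example. Paths are normalised lexically before the prefix check so that `..` components cannot escape the staging directory, and the interposer fails closed on relative paths.

```c
/* Added example, not Gentoo Sandbox's code: a minimal LD_PRELOAD-style
 * interposer that hooks fopen(), allows every read and only allows writes
 * below a constructed allow-list. Build as a preload library with
 *   cc -shared -fPIC -DSANDBOX_AS_LIBRARY -o sandbox.so sandbox.c
 * and run a script under it with  LD_PRELOAD=./sandbox.so sh install.sh
 * (FreeBSD's rtld honours LD_PRELOAD too). Built normally, main() runs a demo. */
#define _GNU_SOURCE            /* RTLD_NEXT on glibc */
#include <dlfcn.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define SANDBOX_PATH_MAX 4096

/* Constructed policy (assumption): writes may only land on these paths or
 * below them. A real packaging sandbox would derive this from its staging dir. */
static const char *const allowed_write_prefixes[] = { "/tmp/pkg-stage", "/dev/null", NULL };

/* Lexically normalise an absolute path: drop ".", resolve "..", collapse
 * repeated slashes, so "/tmp/pkg-stage/../../etc/shadow" becomes "/etc/shadow".
 * Pure string work, no filesystem access, so a not-yet-existing target cannot
 * defeat the check. Returns 0 on success, -1 for a relative or oversize path. */
static int normalize_path(const char *in, char *out, size_t outsz)
{
    if (in[0] != '/' || outsz < 2) return -1;
    size_t len = 1;
    out[0] = '/';
    for (const char *p = in; *p; ) {
        while (*p == '/') p++;                 /* skip separator run */
        if (!*p) break;
        const char *start = p;
        while (*p && *p != '/') p++;
        size_t clen = (size_t)(p - start);
        if (clen == 1 && start[0] == '.') continue;
        if (clen == 2 && start[0] == '.' && start[1] == '.') {
            while (len > 1 && out[len - 1] != '/') len--;   /* pop component */
            if (len > 1) len--;                             /* and its '/' */
            continue;
        }
        if (len > 1) {
            if (len + 1 >= outsz) return -1;
            out[len++] = '/';
        }
        if (len + clen >= outsz) return -1;
        memcpy(out + len, start, clen);
        len += clen;
    }
    out[len] = '\0';
    return 0;
}

/* True if path equals prefix or lies below it on a component boundary,
 * so "/tmp/pkg-stage-evil/x" is NOT under "/tmp/pkg-stage". */
static int path_under(const char *path, const char *prefix)
{
    size_t n = strlen(prefix);
    return strncmp(path, prefix, n) == 0 && (path[n] == '\0' || path[n] == '/');
}

/* Any fopen mode containing 'w', 'a' or '+' can modify the file. */
static int mode_is_write(const char *mode)
{
    return strchr(mode, 'w') || strchr(mode, 'a') || strchr(mode, '+');
}

/* Policy decision: 1 = allow, 0 = deny. Reads are never restricted; a write
 * must resolve to an allow-listed location. Relative paths are denied for
 * writes (fail closed) rather than resolved against getcwd() in this example. */
int sandbox_fopen_allowed(const char *path, const char *mode)
{
    char norm[SANDBOX_PATH_MAX];
    if (!mode_is_write(mode)) return 1;
    if (normalize_path(path, norm, sizeof norm) != 0) return 0;
    for (const char *const *pf = allowed_write_prefixes; *pf; pf++)
        if (path_under(norm, *pf)) return 1;
    return 0;
}

/* The interposed symbol: with the library preloaded, the dynamic linker binds
 * fopen() to this definition first; the real libc fopen is looked up with
 * RTLD_NEXT so that permitted calls behave exactly as before. */
FILE *fopen(const char *path, const char *mode)
{
    static FILE *(*real_fopen)(const char *, const char *);
    if (!real_fopen)
        real_fopen = (FILE *(*)(const char *, const char *))dlsym(RTLD_NEXT, "fopen");
    if (!sandbox_fopen_allowed(path, mode)) {
        fprintf(stderr, "sandbox: denied fopen(\"%s\", \"%s\")\n", path, mode);
        errno = EACCES;
        return NULL;
    }
    return real_fopen(path, mode);
}

#ifndef SANDBOX_AS_LIBRARY
int main(void)
{
    /* Denied by policy before the filesystem is touched (constructed path). */
    if (fopen("/etc/pkg-demo-denied.conf", "w") == NULL)
        printf("write outside staging area refused: %s\n", strerror(errno));
    /* Allowed: /dev/null is on the allow-list, so libc's real fopen runs. */
    FILE *f = fopen("/dev/null", "w");
    if (f) { fputs("ok\n", f); fclose(f); printf("write to /dev/null allowed\n"); }
    return 0;
}
#endif
```

As the message says, this only catches accidental missteps: a script running as root can bypass a preload hook by calling the syscall directly, by being statically linked, or by unsetting LD_PRELOAD for a child, which is why ptrace/seccomp-based tools such as the sydbox mentioned in the second bullet are harder to escape.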